On 2017-06-16 at 10:27, Binarus wrote:
> Here is where my worry begins. AFAIK, all PGP variants are using RSA key
> pairs. A public X.509 certificate is just a container for such keys (and
> possibly has information about the certificate chain). Given that, in my
> naive world, it should be no problem to extract that public PGP key from
> the certificate; the goal would be to gain the "pure" key which then
> could be added to the traditional PGP (Enigmail / gpg4win) world.
>
I wouldn't try to transform an X.509 certificate into an OpenPGP
certificate for the reasons already talked about in here.
If you want to use OpenPGP, tell your partner to make an OpenPGP
certificate using GnuPG or any OpenPGP-supporting software. You can then
make PGP/Inline or PGP/MIME (if your email client/plugin supports it,
Enigmail does) email.
If you want to use the X.509 certificate of your partner, you must use
an X.509-supported client to generate a certificate (OpenSSL normally
but Kleopatra, which comes by default with Gpg4Win unless selected
otherwise, also allows you to generate an X.509). Normally, email
software supports S/MIME messages and there is no need for an extra
plugin. Thunderbird does so by default and you can configure your X.509
from the Security section of your account settings.
The problem with an X.509 is that it usually requires a Certificate
Authority (CA) to make a trusted signature. Comodo allows you to sign up
for a free X.509 certificate for each of your personal
emails. There may be others, some paid.
> Unfortunately, I didn't find any hint on how to extract that key. It is
> in the certificate for sure, and I think I will eventually be able to
> dump it after playing some time with OpenSSL, but then I eventually
> won't know how to integrate it into Enigmail / gpg4win.
>
Enigmail only works with OpenPGP-related keys.
gpg4win is only a suite of GnuPG related software, with GPGSM for the
management of X.509 certs. Kleopatra is only a front-end GUI client for
both OpenPGP and X.509 operations with the respective GnuPG tools.
> Furthermore, I am still not sure if this is just a matter of
> transforming the key or if the whole software / data exchange protocol
> depends on the sort of key. In other words, even if I would manage to
> extract the key and to integrate it into the Enigmail / gpg4win world,
> would the communication partner be able to decrypt the respective messages?
>
As said above, if your partner uses X.509 then use X.509. If you want to
use OpenPGP tell him to make an OpenPGP key.
If he tries to decrypt a PGP/Inline or PGP/MIME message using an S/MIME
client it won't work. He'll need a PGP/Inline or PGP/MIME compatible
software for that (Thunderbird with Enigmail; Claws Mail, Mutt, etc...).
>> For GnuPG to use KBX format, you must have the modern branch which is
>> 2.1 and later. For that, you need to use the experimental version of
>> Gpg4Win:
> This is a very important hint. I didn't even know that such a branch
> exists. An average user visiting their website mainly for downloading
> their software won't see any hint regarding that ... or I have missed
> something.
>
It was announced on the mail-list of Gpg4Win. But you can also find the
Beta directory link in the mid part of "All Downloads" section in the
Download page.
> Using gpgsm on the command line is not what I would like to do in my daily
> email routine (although I am a strong fan of the command line in other
> situations).
>
If you want to manage certs with a GUI client, use an S/MIME-supported
email client, which you do with Thunderbird, or Kleopatra for X.509 as I
said above.
> Slightly off-topic: Does anybody eventually know if and when Enigmail /
> gpg4win will support certificates?
>
And to reiterate again, Enigmail, as far as I know, will only support
OpenPGP certificates or keys.
Gpg4Win supports X.509 by using the GPGSM CLI tool or Kleopatra as a GUI
front-end but for S/MIME emails I would recommend an email client like
Thunderbird.
--
Juan Miguel Navarro Martínez
GPG Keyfingerprint:
5A91 90D4 CF27 9D52 D62A
BC58 88E2 947F 9BC6 B3CF
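The point above about not turning an X.509 certificate into an OpenPGP one, illustrated with added example code (not from this thread, GnuPG or Gpg4Win): even with the RSA modulus and exponent already pulled out of a certificate, an OpenPGP key is a packet structure whose fingerprint is bound to a creation timestamp, and a usable OpenPGP certificate still needs a User ID self-signature that only the holder of the private key can produce. The key values, timestamp and User ID below are constructed, not real.

```python
import hashlib
import struct

# Constructed toy RSA public key: NOT a real key and far too small for use.
# In practice n and e would come out of the partner's X.509 certificate
# (e.g. `openssl x509 -in cert.pem -noout -pubkey` plus a DER parser).
TOY_N = 0xC7F3A2B1D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F
TOY_E = 65537


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI (RFC 4880 3.2): a 2-byte bit
    count followed by the big-endian magnitude without leading zeros."""
    length = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(length, "big")


def public_key_packet(n: int, e: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet (tag 6, RFC 4880 5.5.2) in
    old-format framing with a 2-byte length, i.e. a 0x99 header byte.
    The creation time is part of the key material: X.509 has no such
    field, so any value chosen here yields a different OpenPGP identity."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def v4_fingerprint(packet: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length and the body,
    which is exactly the framed packet produced above."""
    return hashlib.sha1(packet).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def user_id_packet(uid: str) -> bytes:
    """User ID packet (tag 13, old format, 1-byte length). Binding it to the
    key needs a positive certification signature (tag 2, type 0x13) made
    with the private key, which is why a converted public key alone is not
    an OpenPGP certificate that GnuPG or Enigmail will trust."""
    data = uid.encode("utf-8")
    return b"\xb4" + bytes([len(data)]) + data


def summarize(n: int, e: int, created: int) -> dict:
    """Convenience wrapper returning the pieces a reader would inspect."""
    pkt = public_key_packet(n, e, created)
    fpr = v4_fingerprint(pkt)
    return {"packet": pkt, "fingerprint": fpr, "key_id": key_id(fpr)}
```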